I’ve been thinking about industrial controls security lately. One question that keeps getting asked is, “Why haven’t the predicted attacks happened?” Apparently Dale Peterson at @digitalbond keeps getting asked the same question.
Dale Peterson writes some convincing reasons this morning on his blog. He quite rightly points out that NSA does what NSA is told to do, and that NSA will do whatever they CAN do, within their interpretation of the rules. We should be looking beyond NSA. He also points out that @digitalbond does not concern itself with ethics, but with security. While I suspect that ethics will come creeping in eventually, I understand his reasoning.
This picture was posted by the NY Times and purports to be a server room at Huawei, which NSA has been apparently attacking for years. If we are committing offensive activity, is there a reason to assume we will not face retaliation?
Dale points out that there are more incidents than we know about. He also notes that there is an apparent lack of motive for ICS cybercrime. He also notes that there are potentially large consequences for anyone who does enough damage to the infrastructure to damage the environment or the economy.
I agree with nearly everything Dale wrote, this morning, and I want to offer one more reason.
The truth is that any major cyber attack (like bringing down the Western States Electric Grid) or taking out a very large refinery, or chemical plant, or a rolling wave of attacks– all of which can be done, and all of which are relatively easy to do– will destabilize the economy of the entire world. Civilization, such as it is, is fragile, very fragile, and easy to break. It’s not so easy to rebuild. Just ask 6th century Romans. Ask Chinese historians.
In order to commit such an act or series of acts, it requires a group (government backed or not) who are angry enough, for whatever reason, to want the end of the world as we know it to happen. TEOTWAWKI is only going to happen when someone who has the means, decides on a motive.
I am less sure of a nation state deciding to go this route than I would be of a terrorist organization from anywhere. Note that I didn’t say Islamist terrorist organization. There are many other organizations with other agendas. Radical environmentalists, anarchists, religious fundamentalists who want to “help along” the End Times. There are lots. A nation state would have to have a plan to survive fundamentally unscathed after bringing down the economy of the world. That’s hard to do.
So, what to do? We cannot rip and replace all the ICS systems in the world. There isn’t enough money available to do it. Even though we probably should. And besides, there’s no guarantee that any new systems, regardless of how designed to be secure they are designed to be, will be any more secure. They make smarter offensive strategists every day.
No, what has to happen is that there needs to be a combination of better design, security appliances, and better security practices in the critical infrastructure industries. That’ll be a long, tough slog, but it beats hiding under a desk waiting for the blast.
Technical Services And Strategic Consulting For Technology Companies
